Assessing information security risk in healthcare organizations of different scale

Abstract

This paper discusses the execution of Operationally Critical Threat, Asset, and Vulnerability Evaluations (OCTAVE(SM)) at three healthcare organizations of different scale, complexity and geographic location. Each conducted its evaluation with a similar objective: execution of a risk assessment to meet HIPAA Security Rule requirements. A comparison of results identified technical and organizational observations common to all three organizations, suggesting that these issues may be prevalent throughout the industry. The resource limits of the organizations and the time required to implement effective protection strategies and mitigation plans significantly influenced decisions regarding which risks were ultimately selected for mitigation, deferral, or acceptance. The evaluation of risks in terms of organizational impact was found to be critically important and was the most influential factor considered when prioritizing risks for mitigation. This observation supports the concept of a decentralized decision-making approach to information security in the healthcare industry, allowing organizations to prioritize risks for mitigation according to their own criteria. The use of an industry-recognized risk assessment methodology such as OCTAVE provided an element of due diligence to the process while allowing each organization the freedom to consider its own unique circumstances, tailor the methodology and document its decisions accordingly.